Hello.
I'm trying to use a 3rd party wildcard certificate for GAIA portal access to some of our firewalls. A CP engineer and I installed wildcard.key file as server.key and the .crt file as server.crt but the IP was still resolving to the ISP domain name so it was giving a domain mismatch error.
I got that fixed and now the IP resolves to our domain but the website still shows an error and says that the domains do not match.
I got a new engineer who says we have to do a CSR for each gateway and cannot use the wildcard certificate.
Is this the case or were we just not communicating?
You can use the SAN to create multiple FQDN and IP address matches so a single cert works for the cluster. See https://support.checkpoint.com/results/sk/sk170395. Note it only shows DNS options for FQDN, but you can also use IP options for IP address in case you go to the portal via IP. Example:
# The @reference and the section header must match exactly (OpenSSL section names are case-sensitive)
subjectAltName = @vpn_names
[vpn_names]
DNS.1 = www.abc.com
DNS.2 = abc.com
DNS.3 = sub.abc.com
DNS.4 = sub2.abc.net
IP.1 = 172.25.105.136
IP.2 = 172.25.105.134
As far as I know, this is supported.
Are you accessing the Gaia WebUI by FQDN?
I'm fairly positive you can use a wildcard cert, I have seen customers do it before.
Andy
Do you use an IP address for the gateway? That's not possible. The wildcard just covers domains. There is no wildcard IP address certificate. You have to use the FQDN.
If you are wanting to change the GAIA portal certificate - you want to use the Platform Portal section of the Gateway Properties to change the certificate. Don't manually change the files at the CLI. I think it is possible to edit the files, then restart the service, but with the multiportal it is easier to do it this way. Just don't forget to install the policy after making the change.
And when it's in a cluster you use the internal VIP for the FQDN. However, since the FQDN of a member is a different IP than the VIP, you still get a warning. Not to mention the standby member... Also, there is no Platform Portal section on a manager. For the manager you need to trust the CP ICA in your browser's trusted CA store.
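To see which portal addresses a given SAN list actually covers, and why a pure wildcard entry never satisfies a browser that was given an IP, here is an added example (not code from this thread or from Check Point). It parses the DNS.n / IP.n lines in the same OpenSSL-config form as the example above (the SAN contents are constructed for illustration) and applies browser-style matching rules: a wildcard matches exactly one leftmost label, and an IP literal is only ever compared against iPAddress entries.

```python
import ipaddress
import re

# Constructed SAN section, in the same form as the answer's example config.
# A wildcard plus the bare domain plus the two cluster member IPs.
SAN_CONFIG = """
[vpn_names]
DNS.1 = *.abc.com
DNS.2 = abc.com
IP.1 = 172.25.105.136
IP.2 = 172.25.105.134
"""

# Constructed comparison case: a wildcard-only certificate with no IP entries.
WILDCARD_ONLY_CONFIG = """
[vpn_names]
DNS.1 = *.abc.com
"""


def parse_san(config: str) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addrs) from the DNS.n / IP.n lines of a SAN section."""
    dns, ips = [], []
    for line in config.splitlines():
        m = re.match(r"\s*(DNS|IP)\.\d+\s*=\s*(\S+)", line)
        if m:
            (dns if m.group(1) == "DNS" else ips).append(m.group(2).lower())
    return dns, ips


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' is only allowed as the whole leftmost label and matches one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # e.g. ".abc.com"
    if not host.endswith(suffix):
        return False  # also rejects the bare domain: "abc.com" does not end with ".abc.com"
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost  # exactly one extra label


def san_covers(config: str, target: str) -> bool:
    """Would a browser accept `target` (hostname or IP literal) for a cert with this SAN?"""
    dns, ips = parse_san(config)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal, so compare against dNSName entries
        return any(dns_name_matches(p, target) for p in dns)
    # An IP literal is compared only against iPAddress entries; DNS names, wildcard or not, are ignored.
    return any(ipaddress.ip_address(ip) == addr for ip in ips)
```

`san_covers(WILDCARD_ONLY_CONFIG, "172.25.105.136")` is False while `san_covers(SAN_CONFIG, "172.25.105.136")` is True, which is exactly the gap that the IP.n entries close when the portal is opened by address.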